RE: General update on CR and test-suite from GALINDO Virginie on 2016-02-22 (public-webcrypto@w3.org from February 2016)

From: GALINDO Virginie <Virginie.Galindo@gemalto.com>
Date: Mon, 22 Feb 2016 17:45:13 +0000
To: hhalpin <hhalpin@w3.org>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
Message-ID: <540E99C53248CE468F6F7702588ABA2A0144F6CBB0@A1GTOEMBXV005.gto.a3c.atos.net>

Harry,

Thanks for the sumup, appreciated.
Note that I cannot switch to weekly calls.

Regards,

Virginie
Chair of the web crypto WG

-----Original Message-----
From: hhalpin [mailto:hhalpin@w3.org]
Sent: lundi 22 février 2016 11:57
To: public-webcrypto@w3.org
Subject: General update on CR and test-suite

Since we have some new members, here's the current state of play to update (and old members know this already, but you may want to swap it in before the call).

The goal of getting to CR is to make the spec reflect accurately the reality. Each underlying feature should have two independent implementations, which in our case is two independent browser teams (so Chrome on Android and Chrome on Windows don't count, but Chrome on Android vs. Edge on Windows counts).

* Getting to CR:

First, we have to resolve two formal objections. We have already sent a list of attacks made by Graham Steel (INRIA) to IRTF [1] and so we just need to add a reference to that for the spec and I need to give it a quick update to reflect latest rounds of comments and another INRIA/ENISA internal review. The second is to determine the state of play with non-NIST curves, i.e. most likely Curve25519 in terms of implementation. Unless two browsers have committed to implementing
Curve25519 and revealing to WebCrypto, then we can say its still en-route and we'll update when that's ready, and the liaison with IRTF CFRG continues.

The last part is we have to show that we show for our CR *at minimum* that algorithms have at least two implementations. If they don't, he wanted them removed from the spec.

Here's my last check from Nov 2015:
https://www.w3.org/2012/webcrypto/CR-report/

Based on:
https://github.com/diafygi/webcrypto-examples/

It needs to be updated to reflect RSA-PSS support by Firefox, and we need to actually remove the algorithms from spec that are not being implemented across two or more browsers.

* Test-suite

We can also, as Ryan wants, do a much more thorough testing. For an example of this, see:

http://testthewebforward.org/

And then those tests are added to the HTML5 effort [2] (see test of randomValues for an example). I earlier wanted to do this, but currently browser test-suites would need to be converted, or we'd have to redo the tests. If I can find 2-3 people to help with this task, I'm all for it and pushing it hard over the next few months.

* Work mode

Up until now we were/are using W3C's repo. I migrated the spec to Github and suggest we migrate all issues and close the W3C's repo down for the final push on WebCrypto to CR.

I suggest weekly meetings to really push things over the next few months if people are OK with that.

Any thoughts?

   yours,
     harry

[1]
https://datatracker.ietf.org/doc/draft-irtf-cfrg-webcrypto-algorithms/
[2] https://github.com/w3c/web-platform-tests/tree/master/WebCryptoAPI
--

Harry Halpin (W3C/MIT) harry@w3.org

________________________________
 This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

Received on Monday, 22 February 2016 17:45:49 UTC